in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

File Security: Junior Staffer Leaks US House Ethics Doc Via P2P

The US Ethics Committee has announced that a recent document leak was caused by junior staffer who installed file-sharing software on his personal computer.  This statement actually raises questions.  It is also testament to how data security requires a holistic approach that includes data loss prevention and data encryption software, among other information leak prevention practices.

Numerous Files Leaked

Prior to the announcement by the House Committee on Standards of Official Conduct (aka, the Ethics Committee), it was assumed that the leak was via hacker activity.  However, what really happened was that a junior staffer, since fired, took sensitive documents home and used his personal computer to work on them.  His personal computer had file-sharing software.

Other documents, besides the Ethics Committee's document, were also leaked via the same manner.

Questions Raised

I'm not sure how this could have happened.  I understand the technical aspects of how, but there are too many questions to resolve:

  • Why's a junior staffer carrying around such documents?  According to the washingtonpost.com, the Ethics committee is one of the most secretive panels in Congress.  And a junior staffer is allowed to take documents related to investigations home?

  • Assuming a junior staffer is allowed to take said documents, where are the data protection tools?  Even if a junior staffer is allowed to home such documents (heck, he's already working on it at the office, so he knows the contents), I'm pretty sure losing such documents wouldn't be allowed.

    I take it the documents that were leaked were digital files.  Where's the encryption to protect these files from unauthorized access?

  • If the file wasn't encrypted, was he at least using an encrypted storage device?  I mean, if a sensitive file is not encrypted because it's in a secure environment--both in terms of destination and origin--at least that file must be protected while in transit from point A to point B.  Did the staffer use a USB disk or something similar?  Was it encrypted?  Did he save it directly to his personal laptop while at work?

I could go on and on...

People's Behavior Part Of Data Loss Prevention Policies

The major problem and security loophole in this case is the staffer's behavior.  Granted, if the documents he had transferred to his personal laptop were protected with file encryption, the ramifications of a P2P-based data breach would have been negated.

(Encrypted files are protected at the file level, and would require the right authorization code to gain access.  Note that this is not the same as having password-protection, which is virtually useless.)

However, seeing how the staffer was not exercising proper data security practices, chances are he had malware installed on his computer already.  One of these could have been a keystroke logger.

With one of these installed, the use of encryption is often nullified because a third party is able to obtain the passwords for accessing data.

The best policy may have been not have these document taken out from the Ethics Committee's perimeter (which I'm assuming had the right data protection tools in place).

Related Articles and Sites:
http://www.computerworld.com/s/article/9140154/Leaked_House_Ethics_document_spreads_on_the_Net_via_P2P?source=rss_security
http://www.washingtonpost.com/wp-dyn/content/story/2009/10/29/ST2009102904609.html?sid=ST2009102904609

 
<Previous Next>

Drive Encryption: Missing Tape Affects UK Farmers Tied To RPA

Laptop Encryption Software: BlueCross BlueShield Breach, A Personal Take

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.